incoherent
Apr 24, 2004

01010100011010000111001
00110100101101100011011
000110010101110010
Yeah, i figured. Be dope tho for someone there to be like "i'm that guy" and go through the trouble of obliterating his reputation.

Bonus if equifax is contractually protecting him in court.


ate shit on live tv
Feb 15, 2004

by Azathoth

Shaggar posted:

background checks are required for doing business with any government entities.

so you are saying professional bureaucrats would get hosed? seems like win/win to me.

Shaggar
Apr 26, 2006
yeah I wouldn't entirely be upset about totally eliminating the federal government.

ate shit on live tv
Feb 15, 2004

by Azathoth

Shaggar posted:

yeah I wouldn't entirely be upset about totally eliminating the federal government.

the federal government can do great things, but much like cops, the people attracted to that life are the people you don't want in those positions.

Lysidas
Jul 26, 2002

John Diefenbaker is a madman who thinks he's John Diefenbaker.
Pillbug
i just had an idea and i don't know how bad/dumb it is

lets say you have a website with a TLS certificate which only supports modern protocols and ciphers (like TLS 1.2, ECDHE ciphers), and you have some clients connecting to some API endpoints over plain HTTP, and having those clients update their poo poo to use HTTPS is unfeasible for various reasons (their ancient environments may not support TLS 1.2 or modern ciphers, etc. etc.)

but you want to use HTTPS as much as possible for everyone else, including people who view the site in a normal web browser

how bad an idea is it to send HSTS headers in HTTPS replies, without redirecting all HTTP traffic to HTTPS? those API endpoints will still work over HTTP, but if you connect over HTTPS, then you get HTTPS from then on (and also going to http://thesite.com redirects to HTTPS, so a lot of users might get an HSTS enablement reply pretty quickly)

surebet
Jan 10, 2013

specialist


https://www.youtube.com/watch?v=4pgg2LCY8iE&feature=youtu.be&t=2h5m20s

in which the ceo of equifax explains to congress that while they had a fancy ssl cert and ran https on their forward facing stuff, nothing was encrypted at rest because

not exactly sure how something so massive could be the fault of one guy and a missed patch

mrmcd
Feb 22, 2003

Pictured: The only good cop (a fictional one).

Lysidas posted:

i just had an idea and i don't know how bad/dumb it is

lets say you have a website with a TLS certificate which only supports modern protocols and ciphers (like TLS 1.2, ECDHE ciphers), and you have some clients connecting to some API endpoints over plain HTTP, and having those clients update their poo poo to use HTTPS is unfeasible for various reasons (their ancient environments may not support TLS 1.2 or modern ciphers, etc. etc.)

but you want to use HTTPS as much as possible for everyone else, including people who view the site in a normal web browser

how bad an idea is it to send HSTS headers in HTTPS replies, without redirecting all HTTP traffic to HTTPS? those API endpoints will still work over HTTP, but if you connect over HTTPS, then you get HTTPS from then on (and also going to http://thesite.com redirects to HTTPS, so a lot of users might get an HSTS enablement reply pretty quickly)

This is not really my wheelhouse, but what are you worried about here? That the clients too old and lazy to do HTTPS somehow see the HSTS headers by accident and actually obey it?

AIUI HSTS just tells the browser or whatever "don't ever use http for this domain, even if 'me' tells you not to, ya dingus". It doesn't make your ciphers stronger and I have a hard time thinking of how it could impact a client who thinks HTTPS is "too hard" in tyool 2017.

cinci zoo sniper
Mar 15, 2013




surebet posted:

https://www.youtube.com/watch?v=4pgg2LCY8iE&feature=youtu.be&t=2h5m20s

in which the ceo of equifax explains to congress that while they had a fancy ssl cert and ran https on their forward facing stuff, nothing was encrypted at rest because

not exactly sure how something so massive could be the fault of one guy and a missed patch

man you just got to shift to blame to one maintenance tech not manually patching apache struts b/c your automatic verification failed

Lysidas
Jul 26, 2002

John Diefenbaker is a madman who thinks he's John Diefenbaker.
Pillbug
it seems fine the more I think about it, HSTS headers are only supposed to be sent or recognized over HTTPS, so if you can successfully connect over HTTPS then it becomes mandatory from then on, if you can't, then fine, you can keep using HTTP

Potato Salad
Oct 23, 2014

nobody cares


its me, the one IT guy responsible for carrying apache struts + ibm into the second decade of the 21st millennium

I'm definitely the guy at fault, pay no attention to the managers and executives who probably never approved budget requests or took security posture seriously in the headwind of user complaints

mrmcd
Feb 22, 2003

Pictured: The only good cop (a fictional one).

Potato Salad posted:

its me, the one IT guy responsible for carrying apache struts + ibm into the second decade of the 21st millennium

I'm definitely the guy at fault, pay no attention to the managers and executives who probably never approved budget requests or took security posture seriously in the headwind of user complaints

How much you wanna bet the "lone engineer" is the guy who whined about terrible poo poo being broken and unpatched forever, was ignored, and finally quit in disgust? See we have this paper trail about him mentioning all this broken poo poo he never fixed, and he's not here to defend himself, so...

Cocoa Crispies
Jul 20, 2001

Vehicular Manslaughter!

Pillbug

Lysidas posted:

lets say you have a website with a TLS certificate which only supports modern protocols and ciphers (like TLS 1.2, ECDHE ciphers), and you have some clients connecting to some API endpoints over plain HTTP, and having those clients update their poo poo to use HTTPS is unfeasible for various reasons (their ancient environments may not support TLS 1.2 or modern ciphers, etc. etc.)

get a signed contract (like, lawyers) from those responsible for the non-modern-tls clients that specifies a private endpoint (probably a different url) for them and shifts liability for damages caused by their use of and your support of plaintext to them, and make their private plaintext endpoint restricted to those particular clients

Shame Boy
Mar 2, 2010

Lysidas posted:

it seems fine the more I think about it, HSTS headers are only supposed to be sent or recognized over HTTPS, so if you can successfully connect over HTTPS then it becomes mandatory from then on, if you can't, then fine, you can keep using HTTP

if your clients have "http://whatever" bookmarked and hit the HSTS page at all then their bookmark will show up as that big angry SOMETHING IS HORRIBLY WRONG page

or does HSTS cause the browser to internally automatically redirect? I know it didn't when i was first playing around with it a long time ago but i haven't actually had to check in a while...

Lysidas
Jul 26, 2002

John Diefenbaker is a madman who thinks he's John Diefenbaker.
Pillbug

ate all the Oreos posted:

or does HSTS cause the browser to internally automatically redirect?

yeah that

e:

Cocoa Crispies posted:

get a signed contract (like, lawyers) from those responsible for the non-modern-tls clients that specifies a private endpoint (probably a different url) for them and shifts liability for damages caused by their use of and your support of plaintext to them, and make their private plaintext endpoint restricted to those particular clients

that sounds like probably a lot more effort than getting these clients to update their poo poo, and that HTTP API isn't broken, just suboptimal (messages are still cryptographically authenticated, but anyone can see what you are doing, which isn't catastrophic here)

Lysidas fucked around with this message at 16:48 on Oct 4, 2017

Potato Salad
Oct 23, 2014

nobody cares


Cocoa Crispies posted:

get a signed contract (like, lawyers) from those responsible for the non-modern-tls clients that specifies a private endpoint (probably a different url) for them and shifts liability for damages caused by their use of and your support of plaintext to them, and make their private plaintext endpoint restricted to those particular clients

No gat dangit we needed this yesterday, as in pronto, I am meeting with shareholders in fifteen minutes and I don't have time to deal with you obstructive guys trying to hold my company hostage with your ridiculous requests, seriously you're making me consider dropping you as a client!

Cocoa Crispies
Jul 20, 2001

Vehicular Manslaughter!

Pillbug
saying "no" and communicating risks of bad security to management is an important part of security

Lysidas posted:

that sounds like probably a lot more effort than getting these clients to update their poo poo, and that HTTP API isn't broken, just suboptimal (messages are still cryptographically authenticated, but anyone can see what you are doing, which isn't catastrophic here)

working as intended, won't fix

Potato Salad posted:

No gat dangit we needed this yesterday, as in pronto, I am meeting with shareholders in fifteen minutes and I don't have time to deal with you obstructive guys trying to hold my company hostage with your ridiculous requests, seriously you're making me consider dropping you as a client!

working as intended, won't fix

Lysidas
Jul 26, 2002

John Diefenbaker is a madman who thinks he's John Diefenbaker.
Pillbug

Cocoa Crispies posted:

working as intended, won't fix

yeah literally this, my intention is "how can i push HTTPS and HSTS as much as possible for people viewing the website, while not having to contact our API clients in any way, let alone breaking their implementations which are probably cobbled together in vbscript or classic ASP running on windows server 2003"

Carthag Tuek
Oct 15, 2005

Tider skal komme,
tider skal henrulle,
slægt skal følge slægters gang



deprecate their endpoint and create a new https one that will be updated for everyone else

incoherent
Apr 24, 2004

01010100011010000111001
00110100101101100011011
000110010101110010

Powaqoatse posted:

deprecate their endpoint and create a new https one that will be updated for everyone else

Or do an extreme deprecation like those web hosts did in the late 90s after the bubble and consolidated all cheap tier sites to one box and choke them out.

anthonypants
May 6, 2007

by Nyc_Tattoo
Dinosaur Gum

ate all the Oreos posted:

if your clients have "http://whatever" bookmarked and hit the HSTS page at all then their bookmark will show up as that big angry SOMETHING IS HORRIBLY WRONG page

or does HSTS cause the browser to internally automatically redirect? I know it didn't when i was first playing around with it a long time ago but i haven't actually had to check in a while...
we put HSTS on one of our IIS servers to test, and it doesn't have an HTTPS redirect set up, and if you go to http://that website, it doesn't work, but if you go to https://that website, it does work, and every subsequent connection to http://that website will automatically redirect to https://that website, and i'm assuming that'll remain true until the max age is expired or the browser is told to forget about that header on that domain
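The browser behaviour anthonypants describes above, and Lysidas's earlier question about sending HSTS without redirecting plain HTTP, both come down to how a browser's HSTS policy cache works. The following is an added example, not code from the thread or from any browser: a small Python model of that cache following the RFC 6797 rules (header honoured only on HTTPS responses, max-age expiry, includeSubDomains, internal http-to-https upgrade before any request is sent). The `HstsCache` class, its methods, the `scenario()` walkthrough, the fake clock and the sample responses are all constructed for illustration; `thesite.com` is the placeholder host from Lysidas's post.

```python
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsEntry:
    expires_at: float          # absolute time when the policy lapses
    include_subdomains: bool   # includeSubDomains directive was present


def parse_sts(header: str) -> Optional[Tuple[int, bool]]:
    """Parse a Strict-Transport-Security value into (max_age, includeSubDomains).

    Returns None when there is no usable max-age, which a browser treats as
    "no policy"."""
    max_age, include_sub = None, False
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(value.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None or max_age < 0:
        return None
    return max_age, include_sub


class HstsCache:
    """Per-host HSTS policy store (constructed model of the browser-side logic)."""

    def __init__(self, now=time.time):
        self._now = now                      # injectable clock so tests can fake time
        self._hosts: Dict[str, HstsEntry] = {}

    def observe_response(self, url: str, headers: Dict[str, str]) -> bool:
        """Record the policy carried by a response; True if the cache changed.

        RFC 6797 only honours the header on responses received over HTTPS, so a
        client that only ever speaks plain HTTP can never pick up a policy."""
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if parts.scheme != "https" or not host:
            return False
        parsed = parse_sts(headers.get("Strict-Transport-Security", ""))
        if parsed is None:
            return False
        max_age, include_sub = parsed
        if max_age == 0:                     # max-age=0 tells the browser to forget the host
            return self._hosts.pop(host, None) is not None
        self._hosts[host] = HstsEntry(self._now() + max_age, include_sub)
        return True

    def _policy_applies(self, host: str) -> bool:
        now = self._now()
        entry = self._hosts.get(host)
        if entry and entry.expires_at > now:
            return True
        labels = host.split(".")             # walk up to parents that set includeSubDomains
        for i in range(1, len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            if entry and entry.include_subdomains and entry.expires_at > now:
                return True
        return False

    def rewrite(self, url: str) -> str:
        """Return the URL the browser actually fetches: http:// is upgraded
        internally, before any request leaves, for hosts with a live policy."""
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if parts.scheme != "http" or not self._policy_applies(host):
            return url
        netloc = host if parts.port in (None, 80) else f"{host}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def scenario() -> Dict[str, object]:
    """Walk through the thread's setup with a fake clock (constructed sample data)."""
    clock = [1_000_000.0]
    cache = HstsCache(now=lambda: clock[0])
    sts = {"Strict-Transport-Security": "max-age=3600; includeSubDomains"}
    out: Dict[str, object] = {}
    # legacy API client that only talks HTTP: even a leaked header is ignored
    out["http_ignored"] = cache.observe_response("http://thesite.com/api", sts)
    out["api_still_http"] = cache.rewrite("http://thesite.com/api")
    # a browser user reaches the HTTPS site once and receives the header
    out["https_stored"] = cache.observe_response("https://thesite.com/", sts)
    # from now on an http:// bookmark is upgraded before the request is sent
    out["bookmark"] = cache.rewrite("http://thesite.com/login")
    out["subdomain"] = cache.rewrite("http://www.thesite.com/")
    # once max-age elapses without a refreshed header, http:// is allowed again
    clock[0] += 3601
    out["after_expiry"] = cache.rewrite("http://thesite.com/login")
    return out


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The `scenario()` walkthrough is the thread's situation end to end: the plain-HTTP API client never stores a policy, a browser that has seen one HTTPS response upgrades later `http://` URLs on its own (so the bookmark case ate all the Oreos worried about resolves as a silent redirect, not an error page), and the upgrade stops once `max-age` runs out without being refreshed. A real browser also refreshes the expiry on every HTTPS response carrying the header, which this model does by simply overwriting the entry.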

Perplx
Jun 26, 2004


Best viewed on Orgasma Plasma
Lipstick Apathy

Lysidas posted:

i just had an idea and i don't know how bad/dumb it is

lets say you have a website with a TLS certificate which only supports modern protocols and ciphers (like TLS 1.2, ECDHE ciphers), and you have some clients connecting to some API endpoints over plain HTTP, and having those clients update their poo poo to use HTTPS is unfeasible for various reasons (their ancient environments may not support TLS 1.2 or modern ciphers, etc. etc.)

but you want to use HTTPS as much as possible for everyone else, including people who view the site in a normal web browser

how bad an idea is it to send HSTS headers in HTTPS replies, without redirecting all HTTP traffic to HTTPS? those API endpoints will still work over HTTP, but if you connect over HTTPS, then you get HTTPS from then on (and also going to http://thesite.com redirects to HTTPS, so a lot of users might get an HSTS enablement reply pretty quickly)

you should run https only and tell them to get hosed

they should run a vm with a reverse proxy to dumb down https to http on their end, or you know not suck

Shame Boy
Mar 2, 2010

anthonypants posted:

we put HSTS on one of our IIS servers to test, and it doesn't have an HTTPS redirect set up, and if you go to http://that website, it doesn't work, but if you go to https://that website, it does work, and every subsequent connection to http://that website will automatically redirect to https://that website, and i'm assuming that'll remain true until the max age is expired or the browser is told to forget about that header on that domain

ah ok, all my stuff is setup to auto-redirect on the server anyway and has been for... years, so i couldn't ever really tell the difference i guess :shrug:

vOv
Feb 8, 2014

https://twitter.com/malpedia/status/915261404919287809

Proteus Jones
Feb 28, 2013




LOL

Kuvo
Oct 27, 2008

Blame it on the misfortune of your bark!
Fun Shoe
YOSPOS > Security Fuckup Megathread - v14.0 - DO NOT OPEN THE FUCKIN RANSOMWARE

McGlockenshire
Dec 16, 2005

GOLLOCKS!
https://twitter.com/NatashaBertrand/status/915984644746735616

quote:

WASHINGTON—Hackers working for the Russian government stole details of how the U.S. penetrates foreign computer networks and defends against cyberattacks after a National Security Agency contractor removed the highly classified material and put it on his home computer, according to multiple people with knowledge of the matter.

The hackers appear to have targeted the contractor after identifying the files through the contractor’s use of a popular antivirus software made by Russia-based Kaspersky Lab, these people said.

The theft, which hasn’t been disclosed, is considered by experts to be one of the most significant security breaches in recent years. It offers a rare glimpse into how the intelligence community thinks Russian intelligence exploits a widely available commercial software product to spy on the U.S.
gonna point to this every single time someone says that third party AV is safe and good because clearly MS won't have the same problem

Wiggly Wayne DDS
Sep 11, 2010



i'm the nsa contractor taking home classified material and having their av set to upload unknown samples for analysis

Shame Boy
Mar 2, 2010

McGlockenshire posted:

https://twitter.com/NatashaBertrand/status/915984644746735616

gonna point to this every single time someone says that third party AV is safe and good because clearly MS won't have the same problem

of course MS won't have the same problem, they're american and the NSA are here to make sure software is secure! why else would they review and test things??

Wiggly Wayne DDS
Sep 11, 2010



on a more serious note i'm not sure whether to attribute that to kaspersky being strongarmed to work with russian intel, or just a lucky find when their sigint arm trawls all av unknown sample uploads for interesting phrases/targets

Jenny Agutter
Mar 18, 2009

did that happen post Snowden? because it seems insane that people can still exfiltrate data that easily

Just-In-Timeberlake
Aug 18, 2003
was this posted? because goddamn

https://arstechnica.com/information-technology/2017/10/yahoo-says-all-3-billion-accounts-were-compromised-in-2013-hack/

quote:


"We recently obtained additional information and, after analyzing it with the assistance of outside forensic experts, we have identified additional user accounts that were affected," Yahoo officials wrote in the update. "Based on an analysis of the information with the assistance of outside forensic experts, Yahoo has determined that all accounts that existed at the time of the August 2013 theft were likely affected."

anthonypants
May 6, 2007

by Nyc_Tattoo
Dinosaur Gum
yeah, kinda, but the wsj article is paywalled

Just-In-Timeberlake
Aug 18, 2003

anthonypants posted:

yeah, kinda, but the wsj article is paywalled

dump the url in outline.com

https://outline.com/AY7c9G

duz
Jul 11, 2005

Come on Ilhan, lets go bag us a shitpost


Jenny Agutter posted:

did that happen post Snowden? because it seems insane that people can still exfiltrate data that easily

reality winner was post snowden as well

Main Paineframe
Oct 27, 2010

McGlockenshire posted:

https://twitter.com/NatashaBertrand/status/915984644746735616

gonna point to this every single time someone says that third party AV is safe and good because clearly MS won't have the same problem

beautiful

the guy took NSA viruses home and put them on his home computer, where his antivirus detected them as potentially malicious files and sent them to the antivirus company. and since the company was Russian, the NSA couldn't just demand that the company delete it and forget it ever happened

akadajet
Sep 14, 2003

McGlockenshire posted:

https://twitter.com/NatashaBertrand/status/915984644746735616

gonna point to this every single time someone says that third party AV is safe and good because clearly MS won't have the same problem

remember that early yospos thing where cozpop malware took a screenshot of kaspersky not doing its job on a computer downloading a ton of german porn? lol

anthonypants
May 6, 2007

by Nyc_Tattoo
Dinosaur Gum
the biggest risk in infosec is your self-important fuckhead users who won't report when something is wrong until months later http://www.politico.com/story/2017/10/05/john-kelly-cell-phone-compromised-243514

Volmarias
Dec 31, 2002

EMAIL... THE INTERNET... SEARCH ENGINES...

akadajet posted:

remember that early yospos thing where cozpop malware took a screenshot of kaspersky not doing its job on a computer downloading a ton of german porn? lol

No but now I'd like to know more

Rufus Ping
Dec 27, 2006





I'm a Friend of Rodney Nano

Volmarias posted:

No but now I'd like to know more


Mo_Steel
Mar 7, 2008

Let's Clock Into The Sunset Together

Fun Shoe

Of course there are multiple "cleaning" and "tune-up" desktop icons. :allears:
